Re: Where to start a migration from passwd/shadow/smbpasswd to openldap
On Thursday, 25 March 2010 14:12:40 Götz Reinicke - IT-Koordinator wrote:
> Hi,
>
> a couple of weeks ago I started to learn ldap and set up some test
> servers with the latest openldap for centos 5.4. I learned about
> schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge
> about the technical fundamentals.
>
> The primary goal is to have the login information for our mail and
> fileserver system in one place.
>
> Right now we do use sendmail, dovecot and samba.
>
> After testing some of the migration tools for migrating posix and
> sambaSam accounts, I was asking myself: what is the best way to start
> the migration? Right now the directory is completely empty, so I can
> start from scratch.
>
> Both types of accounts do have different attributes and furthermore I'd
> like to use some inetOrgPerson/organizationalPerson attributes.
The only thing to worry about here is which structural objectclass to use; it
is usually either a choice between 'account' and 'inetOrgPerson'. There is no
issue with posixAccount or sambaSamAccount; they are both auxiliary. For the
rfc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so
you should go with rfc2307 (using memberUid for denoting members of groups,
holding the username, not the DN).
> So should I first run the smbldaptool or first fill the directory with
> the migrate_....sh script?
You may have to do some preparation of the directory, for example, if you are
going to use smbldap-tools in your final system, you could use smbldap-populate
for the initial setup (ensure you set the SIDs correctly in the configuration
file).
Once you have samba and smbldap-tools configured correctly, you can migrate
your samba accounts to LDAP using pdbedit, which should use the 'add user
script' and 'add machine script' commands and/or the direct LDAP write support
in samba to do the migration of the accounts for you.
If you have a test system available, I would definitely test first, especially
if you are running samba as a DC.
Regards,
Buchan
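As an added illustration (not part of Buchan's reply or anything else in this thread), the following LDIF lays out one user and one group the way the reply recommends: inetOrgPerson as the structural class with posixAccount and sambaSamAccount stacked on it as auxiliary classes, and an rfc2307-style posixGroup that names its members with memberUid rather than a DN. The suffix dc=example,dc=com, the user/group names, the uid/gid numbers and the domain SID S-1-5-21-1111111111-2222222222-3333333333 are all made-up placeholders; the gidNumber 513 for "Domain Users" follows the smbldap-populate default.

```ldif
# Added example, not from the thread. Assumes the nis, inetorgperson and
# samba schemas are loaded in slapd and that the suffix is dc=example,dc=com.
# The domain SID below is a placeholder: substitute your own domain SID
# (the one you set for smbldap-populate; 'net getlocalsid' prints it).
#
# inetOrgPerson is the STRUCTURAL class; posixAccount and sambaSamAccount
# are AUXILIARY, so all three can live on the same entry.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jdoe@example.com
# posixAccount MUST attributes (the side dovecot and nss_ldap look at)
uidNumber: 10000
gidNumber: 513
homeDirectory: /home/jdoe
loginShell: /bin/bash
# sambaSamAccount: sambaSID is the only MUST attribute besides uid.
# RID 21000 = 2*uidNumber + 1000, samba's default algorithmic mapping;
# the value is illustrative, pdbedit/smbldap-useradd will compute it.
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21000
# RID 513 is the well-known "Domain Users" RID
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaAcctFlags: [U          ]
# sambaNTPassword / userPassword are deliberately left out: let smbpasswd,
# pdbedit or smbldap-passwd set them instead of hand-writing hashes.

# rfc2307-style group: members are listed by username in memberUid, not by
# DN (rfc2307bis would use member: <DN> on a groupOfNames instead).
# sambaGroupMapping is AUXILIARY as well; sambaGroupType 2 = domain group.
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
memberUid: jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaGroupType: 2
displayName: Domain Users
```

Loading this with ldapadd is also a cheap schema check: if slapd answers "invalid structural object class chain" you have two structural classes on one entry (for instance account plus inetOrgPerson), and "objectClass: value #N invalid per syntax" means the samba or nis schema is not included in slapd.conf. Once samba's passdb backend points at the directory, the existing smbpasswd file can be pulled in with pdbedit's import/export switches (pdbedit -i smbpasswd:/etc/samba/smbpasswd -e ldapsam:ldap://localhost, paths assumed), which is the step the reply refers to.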